Security researchers have raised concerns over a significant rise in campaigns distributing banking malware by abusing the Google Cloud Run service. Moreover, there are indications that this threat is extending beyond its original focus on Latin America.
Exploitation of Google Cloud Run
Google Cloud Run, a paid service, enables administrators to develop and deploy various applications and services on the Google Cloud platform seamlessly.
Cisco Talos researchers have observed a surge in campaigns since September 2023 that abuse Google Cloud Run to propagate banking Trojans such as the Astaroth, Mekotio, and Ousaban strains.
In their blog post, they noted similarities in timeframes, storage usage, and distribution methods among these campaigns, suggesting potential links between them.
Geographical Expansion of the Threat
Initially concentrated in Latin America, these campaigns have begun to infiltrate Europe and North America. While most phishing emails are in Spanish, some have been detected in Italian, indicating a widening geographical scope, Dark Reading reports.
Tactics Used in the Attacks
The attack typically commences with phishing emails. These messages often masquerade as invoices or financial documents, sometimes impersonating local government tax agencies.
For instance, an email pretending to originate from Argentina's tax agency, Administración Federal de Ingresos Públicos (AFIP), was identified as part of these campaigns.
These emails contain malicious links leading to Cloud Run web services controlled by the threat actors. In numerous instances, the banking Trojan was delivered as a malicious Microsoft Installer (MSI) package served directly from the attacker-controlled Cloud Run web service.
"It is worth noting that attackers are deploying cloaking mechanisms to avoid detection. One of the cloaking approaches observed is using geoplugin. Some Google Cloud Run domains were redirected to a page for checking Proxy and Crawler and a threat level is given based on the information collected," the Cisco Talos team explained.
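As an added example (not code from the article or from Cisco Talos), the following Python sketch shows one way a defender could triage web proxy logs for the delivery pattern described above: a request to a Cloud Run hostname (the *.run.app suffix is assumed here) that returns a Windows Installer package. The log format, client addresses and hostnames are all constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed proxy log lines (not real traffic): timestamp, client, method, URL, status, content-type.
SAMPLE_PROXY_LOG = """\
2023-10-02T09:14:03Z 10.0.4.21 GET https://factura-afip-7x2k.a.run.app/descarga/factura.msi 200 application/x-msi
2023-10-02T09:15:10Z 10.0.4.33 GET https://intranet.example.internal/report.pdf 200 application/pdf
2023-10-02T09:16:41Z 10.0.4.21 GET https://docs-portal-9q1m.a.run.app/api/status 200 application/json
2023-10-02T09:18:02Z 10.0.4.50 GET https://updates-legit-app-3a4b.a.run.app/download?id=17 200 application/x-msi
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$"
)
CLOUD_RUN_SUFFIX = ".run.app"  # assumed hostname suffix for Cloud Run services
# Content types that indicate a Windows installer/executable was served.
INSTALLER_CTYPES = {"application/x-msi", "application/x-msdownload"}


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    host: str
    reason: str


def parse_line(line):
    """Return the log fields as a dict, or None when the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_cloud_run_installer_downloads(log_text):
    """Flag requests to a Cloud Run host that fetched an MSI by path or by content type."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parsed = urlparse(rec["url"])
        host = (parsed.hostname or "").lower()
        if not host.endswith(CLOUD_RUN_SUFFIX):
            continue
        path_is_msi = parsed.path.lower().endswith(".msi")
        ctype_is_installer = rec["ctype"].lower() in INSTALLER_CTYPES
        if path_is_msi or ctype_is_installer:
            reason = "msi-path" if path_is_msi else "installer-content-type"
            findings.append(Finding(rec["ts"], rec["client"], host, reason))
    return findings


if __name__ == "__main__":
    for f in find_cloud_run_installer_downloads(SAMPLE_PROXY_LOG):
        print(f"{f.ts} {f.client} fetched installer from {f.host} ({f.reason})")
```

Legitimate Cloud Run deployments do serve installers, so a hit is a triage lead to correlate with the originating email and the downloaded file, not a verdict on its own.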
The proliferation of banking malware through Google Cloud Run highlights the evolving tactics of cybercriminals. As this threat continues to spread globally, organizations and users must remain vigilant and improve their security measures to mitigate the risks posed by such attacks.
Recently, we reported that Google Play was plagued with over 150,000 downloads of the notorious Anatsa banking Trojan. According to the report, this malware was targeting Europe-based Android users.
If you see suspicious apps such as "PDF Reader: File Manager" and "Phone Cleaner - File Explorer" on the Play Store, do not install them; they carry the malware and can infect your device.